NWHStealer Spreads Through Fake Proton VPN Sites and Tool Downloads

A malware campaign documented by Malwarebytes is using counterfeit Proton VPN websites, doctored utility downloads, gaming mods, and video-platform links to infect Windows users with an infostealer called NWHStealer. The threat matters because it combines familiar social engineering with evasive techniques that make malicious files look routine and harder for security tools to catch.

The operation shows how commodity malware distribution has matured. Attackers are not relying on a single booby-trapped installer; they are building a pipeline across fake sites, open code-hosting services, free hosting platforms, and YouTube videos, including some generated with AI, to push victims toward poisoned ZIP archives.

Why this campaign is unusually effective

NWHStealer is built for theft, not disruption. According to Malwarebytes, it targets browser-stored passwords, autofill data, and cryptocurrency wallet information, reaching into Chrome, Edge, Firefox, Opera, Brave, and other browsers while also scanning more than 25 wallet-related directories and registry locations. That breadth reflects a wider shift in cybercrime: credentials and wallet data can be resold quickly, making infostealers one of the most efficient tools in the criminal ecosystem.

The lures are also well chosen. VPN software, hardware monitors, game mods, mining tools, and cheat utilities all attract users who are accustomed to downloading ZIP files, running unsigned programs, or bypassing ordinary caution in pursuit of a specific tool. Fake Proton VPN pages are especially persuasive because they borrow trust from a widely recognized privacy brand while delivering trojanized installers that appear plausible at first glance.

How the malware gets in and stays hidden

Malwarebytes identified two main infection routes. One used malicious archives hosted on onworks[.]net and disguised as utilities such as HardwareVisualizer, Sidebar Diagnostics, and OhmGraphite. The other used fake Proton VPN sites serving ZIP files that paired a legitimate executable with a malicious DLL, a classic DLL hijacking setup that lets harmful code run under the cover of a trusted program.

Once launched, the malware uses layered evasion. The reported samples can decrypt payloads with AES-CBC through Windows cryptographic APIs, run directly in memory, inject into legitimate processes such as RegAsm.exe, and in some cases carry out process hollowing. Those methods matter because they reduce obvious signs of compromise on disk and blur the line between normal Windows activity and malicious execution.

The campaign goes further by abusing cmstp.exe to bypass User Account Control, generating a temporary INF file and approving the elevation prompt through Windows APIs. With elevated access, it can add Windows Defender exclusions, create scheduled tasks for persistence, and drop files that impersonate system processes such as svchost.exe or RuntimeBroker.exe. If its main command server fails, it can pull fallback infrastructure from Telegram, showing a level of resilience common in modern malware operations.

What users and organizations should take from it

The most important lesson is that appearance is no longer a reliable signal of legitimacy. Open platforms, cloned websites, and polished videos can all be part of a malicious delivery chain. A familiar product name, a professional-looking landing page, or a link in a video description does not establish trust.

Basic controls still matter. Users should download software only from official vendor sites, verify digital signatures and publisher details where available, and treat ZIP archives carrying installers or DLLs with particular caution. Organizations should watch for unexpected scheduled tasks, suspicious Defender exclusions, unusual use of tools such as cmstp.exe and RegAsm.exe, and browser-process injection activity. For a threat designed to steal before it is noticed, early skepticism is often the best defense.
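The watch-list in the paragraph above, turned into a few detection rules run over constructed process-creation events, as an added example that is not from Malwarebytes or this article. The event shape, the sample paths and the assumption that exclusions get added through PowerShell's Add-MpPreference cmdlet are mine; a real deployment would read Sysmon or EDR telemetry instead.

```python
import ntpath

# Constructed sample process-creation events in a simplified Sysmon-like shape
# (not real telemetry): image path, parent image path, and command line.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmstp.exe", "parent": r"C:\Users\bob\Downloads\HardwareVisualizer.exe",
     "cmdline": r"cmstp.exe /s C:\Users\bob\AppData\Local\Temp\setup.inf"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Users\bob\Downloads\ProtonVPN_Setup.exe", "cmdline": "RegAsm.exe"},
    {"image": r"C:\Users\bob\AppData\Roaming\svchost.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "svchost.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Users\bob\AppData\Roaming\svchost.exe",
     "cmdline": r"schtasks.exe /create /sc onlogon /tn Updater /tr C:\Users\bob\AppData\Roaming\RuntimeBroker.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\bob\AppData\Roaming\svchost.exe",
     "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\bob\AppData\Roaming"},
    # Benign control: the real svchost.exe started by services.exe from System32.
    {"image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_DIRS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
IMPERSONATED = {"svchost.exe", "runtimebroker.exe"}  # names the article says the malware borrows

def from_user_dir(text):
    """True if a path or command line references a user-writable location."""
    return any(d in text for d in USER_DIRS)

def check_event(ev):
    """Return the names of the rules one event matches (empty list means nothing of note)."""
    image, cmd, parent = ev["image"].lower(), ev["cmdline"].lower(), ev["parent"].lower()
    name, hits = ntpath.basename(image), []
    if name == "cmstp.exe" and ".inf" in cmd and from_user_dir(cmd):
        hits.append("cmstp_inf_from_user_dir")      # INF-driven UAC bypass pattern
    if name == "regasm.exe" and from_user_dir(parent):
        hits.append("regasm_unusual_parent")        # likely injection host with an odd parent
    if name in IMPERSONATED and not image.startswith(SYSTEM_DIRS):
        hits.append("system_name_wrong_path")       # svchost/RuntimeBroker outside System32
    if name == "schtasks.exe" and "/create" in cmd and from_user_dir(cmd):
        hits.append("schtasks_persistence")         # task pointing at a user-directory binary
    if "add-mppreference" in cmd and "exclusion" in cmd:
        hits.append("defender_exclusion_added")     # assumed method: PowerShell Add-MpPreference
    return hits

def scan(events):
    """Map each flagged image path to the rules it tripped; benign events are left out."""
    return {ev["image"]: h for ev in events if (h := check_event(ev))}
```

Each rule is deliberately narrow, so tune the path lists to your environment (developer machines legitimately run RegAsm.exe from build tools, for instance) before treating a hit as more than a lead.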